Security Incidents mailing list archives
DoS worm
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 20 Oct 2004 13:48:02 -0700
Yesterday, someone (we believe it was one of our students) unplugged a lab Mac from the campus network and plugged in a PC (laptop, we assume). Besides whatever the user wanted, it apparently did three things:

1. Attempt to open a lot of connections (port 22, SSH) to shaman.exodus.ro (62.80.109.128), then
2. Send a SYN flood, spoofing the source address as 0.0.0.0, to ports 22 and 80 of weed.powered.at (195.149.115.18), and
3. Probe random addresses in our Class B space (port 445, CIFS); if it got a connection, it tried various SMB-type things amongst which I was able to pick out the string "IPC".

Five other machines in our space eventually demonstrated similar symptoms.

I don't know what this beast is. I infer that #2 is a DoS attack which is perhaps the purpose of the worm, and that #3 is its spread vector via the IPC$ share.

Anybody recognize this?

Dave Gillett
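The three symptoms in the post (an SSH connection burst to one host, a SYN flood with source 0.0.0.0, and port 445 sweeps across the local /16) are each easy to pick out of perimeter flow or firewall logs. The following is an added example, not code from the original message or its author: it runs three simple detectors over constructed log lines. The log format, the 172.16.0.0/16 stand-in for the campus Class B, the documentation-range addresses, and the thresholds are all assumptions chosen for the example.

```python
"""Flag the worm behaviours described in the post from constructed flow-log lines.
Added example code; log format, addresses and thresholds are assumptions."""
from collections import defaultdict
import ipaddress
import re

# Assumed log format: "<ts> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <tcp_flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)

CAMPUS_NET = ipaddress.ip_network("172.16.0.0/16")  # constructed stand-in for the Class B
SPOOFED_SYN_THRESHOLD = 20   # SYNs from an unroutable source to one destination
SCAN_DISTINCT_HOSTS = 10     # distinct internal hosts probed on 445 by one source
SSH_BURST_THRESHOLD = 15     # SYNs from one source to one host on port 22


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
                   "sport": int(d["sport"]), "dst": d["dst"],
                   "dport": int(d["dport"]), "flags": d["flags"]}


def detect(lines):
    """Return a list of findings, one per (rule, key) that crosses its threshold."""
    spoofed = defaultdict(int)       # dst -> SYN count with 0.0.0.0 (unspecified) source
    scan_targets = defaultdict(set)  # internal src -> internal hosts it probed on 445
    ssh_bursts = defaultdict(int)    # (src, dst) -> SYNs to port 22
    for rec in parse(lines):
        if rec["proto"] != "tcp" or rec["flags"] != "S":
            continue  # only SYNs matter for all three rules
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src.is_unspecified:  # 0.0.0.0 can never be a legitimate sender
            spoofed[rec["dst"]] += 1
            continue
        if rec["dport"] == 445 and src in CAMPUS_NET and dst in CAMPUS_NET:
            scan_targets[rec["src"]].add(rec["dst"])
        if rec["dport"] == 22:
            ssh_bursts[(rec["src"], rec["dst"])] += 1

    findings = []
    for dst, n in spoofed.items():
        if n >= SPOOFED_SYN_THRESHOLD:
            findings.append({"rule": "spoofed_syn_flood", "key": dst, "count": n})
    for src, hosts in scan_targets.items():
        if len(hosts) >= SCAN_DISTINCT_HOSTS:
            findings.append({"rule": "smb_scan", "key": src, "count": len(hosts)})
    for pair, n in ssh_bursts.items():
        if n >= SSH_BURST_THRESHOLD:
            findings.append({"rule": "ssh_burst", "key": pair, "count": n})
    return findings


def build_sample_log():
    """Constructed sample: one infected lab host plus some benign background traffic."""
    lines = []
    ts = 1000
    # Symptom 1: SSH connection burst from the infected host to one external address.
    for i in range(16):
        lines.append(f"{ts + i} tcp 172.16.5.20:{40000 + i} -> 203.0.113.128:22 S")
    # Symptom 2: SYN flood with spoofed source 0.0.0.0 against ports 22 and 80.
    for i in range(25):
        port = 22 if i % 2 == 0 else 80
        lines.append(f"{ts + 100 + i} tcp 0.0.0.0:{50000 + i} -> 198.51.100.18:{port} S")
    # Symptom 3: port 445 probes to random hosts inside the campus /16.
    for i in range(12):
        lines.append(f"{ts + 200 + i} tcp 172.16.5.20:{41000 + i} -> 172.16.{7 + i}.{33 + i}:445 S")
    # Benign traffic: a few web connections and repeated SMB to one file server.
    for i in range(5):
        lines.append(f"{ts + 300 + i} tcp 172.16.1.1:{42000 + i} -> 203.0.113.5:80 S")
    for i in range(3):
        lines.append(f"{ts + 400 + i} tcp 172.16.1.1:{43000 + i} -> 172.16.1.2:445 S")
    lines.append("garbage line that the parser should ignore")
    return lines


if __name__ == "__main__":
    for f in detect(build_sample_log()):
        print(f)
```

The SMB rule counts distinct destination hosts rather than packets, so a workstation hammering one file server does not trip it while a host walking random addresses in the /16 does. The spoofed-source rule keys on the unspecified address only; extending it to any bogon or non-local source is a one-line change to the `is_unspecified` test.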